There is no doubt that even with competing priorities, cybersecurity is top of mind for school districts. However, budget constraints can make it tough for K–12 schools to fully address all their cybersecurity concerns. That could explain why the “Cybersecurity on a Shoestring” session at TCEA 2023 in San Antonio was jampacked.
“The average school spends less than 8 percent of its IT budget on cybersecurity, with 1 in 5 schools committing less than 1 percent,” notes a 2022 report from the Center for Internet Security and the Multi-State Information Sharing and Analysis Center.
In the session, Todd Pauley, deputy CISO and cybersecurity coordinator at the Texas Education Agency, shared a list of free resources designed to help schools address and fill the budget gaps that districts might face.
“There are some tough situations,” Pauley shared. “Schools have so many priorities that they must meet that, unfortunately, a lot of times cybersecurity doesn’t make it to the top.”
He added that “there are no universal requirements in K–12 for cybersecurity, and funding can vary from state to state.”
Click the banner to access exclusive content on educational tech when you register as an Insider.
K–12 Schools Can Find Free, Low-Cost and Open-Source Security Help
Schools often find a glut of cybersecurity information on the web that they must carefully comb through and then determine if it’s viable and trustworthy. Pauley’s presentation was focused on cutting through the noise and sharing vetted resources.
Many of Pauley’s resources were federal and state websites, such as the federal Cybersecurity and Infrastructure Security Agency, MS-ISAC and the Texas Dept of Information Resources. Schools may not be aware of the wide array of information and support available from these government agencies.
Source: Center for Internet Security and MS-ISAC, “K–12 Report: A Cybersecurity Assessment of the 2021-2022 School Year,” November 2022
Pauley recommended several offerings from CISA, including its cybersecurity evaluation tools and cyber hygiene scan. He also found the Texas DIR to be particularly useful as it offers an incident response manual that can help schools prepare for and respond to a cyberattack.
Pauley also discussed the online search engine Shodan.io, a tool he called “terrifying” because threat actors can use it to explore any server connected to the internet. He suggested that schools play offense and use the tool to get clear on which of their servers need to be patched before bad actors discover the vulnerabilities.
WATCH NOW: School cybersecurity experts share cybersecurity best practices.
Use These Bare-Minimum Cybersecurity Practices Today
Even with funding challenges, Pauley said, all schools at a minimum should make sure they install multifactor authentication along with endpoint detection and response.
He shared how schools can improve their email security affordably using the Sender Policy Framework, an email authentication protocol. SPF provides a Domain Name System text record that limits emails from specific IP addresses or services.
Pauley also recommended KeePass, a free, open-source password manager that he says uses highly secure encryption algorithms. He then reiterated some best practices for passwords: include multifactor authentication, use unique passwords for every account, implement zero-trust architecture and segregate admin duties.
LEARN MORE: Why multifactor authentication should no longer be optional in K–12.
Cybersecurity Tools for Educators and Students
While Pauley’s session provided tools that IT professionals can use right away, he did not forget about educators and students. He noted that the Center for Infrastructure Assurance & Security at the University of Texas at San Antonio offers age-appropriate games, activity sheets, stickers and more for K–12 students.
He also mentioned that Microsoft Learn offers a broad range of online courses, including topics on cybersecurity, for technical staff, educators and students.
See Pauley’s full presentation here.
Leave a Comment